npm - @shriyanss/js-recon - Versions diffs - 1.3.1-alpha.1 → 1.3.1-alpha.3 - Mend

@shriyanss/js-recon 1.3.1-alpha.1 → 1.3.1-alpha.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (111) hide show

package/.github/workflows/pr_checker.yml +9 -8
package/CHANGELOG.md +47 -0
package/CLAUDE.md +136 -0
package/build/analyze/engine/astEngine.js +34 -6
package/build/analyze/engine/astEngine.js.map +1 -1
package/build/analyze/engine/index.js +2 -2
package/build/analyze/engine/index.js.map +1 -1
package/build/analyze/helpers/engineHelpers/taintFlow.js +218 -0
package/build/analyze/helpers/engineHelpers/taintFlow.js.map +1 -0
package/build/analyze/helpers/schemas.js +3 -1
package/build/analyze/helpers/schemas.js.map +1 -1
package/build/analyze/helpers/validate.js +49 -9
package/build/analyze/helpers/validate.js.map +1 -1
package/build/analyze/index.js +3 -2
package/build/analyze/index.js.map +1 -1
package/build/globalConfig.js +1 -1
package/build/index.js +21 -1
package/build/index.js.map +1 -1
package/build/lazyLoad/downloadFilesUtil.js +3 -3
package/build/lazyLoad/downloadFilesUtil.js.map +1 -1
package/build/lazyLoad/downloadQueue.js +190 -0
package/build/lazyLoad/downloadQueue.js.map +1 -0
package/build/lazyLoad/index.js +57 -55
package/build/lazyLoad/index.js.map +1 -1
package/build/lazyLoad/next_js/NextJsCrawler.js +34 -11
package/build/lazyLoad/next_js/NextJsCrawler.js.map +1 -1
package/build/lazyLoad/next_js/next_GetJSScript.js +24 -3
package/build/lazyLoad/next_js/next_GetJSScript.js.map +1 -1
package/build/lazyLoad/next_js/next_SubsequentRequests.js +20 -2
package/build/lazyLoad/next_js/next_SubsequentRequests.js.map +1 -1
package/build/lazyLoad/next_js/next_scriptTagsSubsequentRequests.js +10 -1
package/build/lazyLoad/next_js/next_scriptTagsSubsequentRequests.js.map +1 -1
package/build/lazyLoad/techDetect/checkReact.js +13 -2
package/build/lazyLoad/techDetect/checkReact.js.map +1 -1
package/build/lazyLoad/techDetect/index.js +37 -24
package/build/lazyLoad/techDetect/index.js.map +1 -1
package/build/lazyLoad/vue/vue_discoverJsFiles.js +25 -11
package/build/lazyLoad/vue/vue_discoverJsFiles.js.map +1 -1
package/build/lazyLoad/vue/vue_getClientSidePaths.js +31 -4
package/build/lazyLoad/vue/vue_getClientSidePaths.js.map +1 -1
package/build/lazyLoad/vue/vue_recursiveClientSidePathDownload.js +3 -3
package/build/lazyLoad/vue/vue_recursiveClientSidePathDownload.js.map +1 -1
package/build/lazyLoad/vue/vue_stringJsFiles.js +142 -0
package/build/lazyLoad/vue/vue_stringJsFiles.js.map +1 -0
package/build/load/index.js +316 -0
package/build/load/index.js.map +1 -0
package/build/map/index.js +42 -5
package/build/map/index.js.map +1 -1
package/build/map/next_js/getExports.js +11 -5
package/build/map/next_js/getExports.js.map +1 -1
package/build/map/next_js/getFetchInstances.js +11 -5
package/build/map/next_js/getFetchInstances.js.map +1 -1
package/build/map/next_js/interactive.js +30 -0
package/build/map/next_js/interactive.js.map +1 -1
package/build/map/next_js/interactive_helpers/commandHandler.js +22 -0
package/build/map/next_js/interactive_helpers/commandHandler.js.map +1 -1
package/build/map/next_js/interactive_helpers/esqueryGen.js +370 -0
package/build/map/next_js/interactive_helpers/esqueryGen.js.map +1 -0
package/build/map/next_js/interactive_helpers/helpMenu.js +1 -0
package/build/map/next_js/interactive_helpers/helpMenu.js.map +1 -1
package/build/map/next_js/interactive_helpers/inputPatch.js +207 -0
package/build/map/next_js/interactive_helpers/inputPatch.js.map +1 -0
package/build/map/next_js/interactive_helpers/ui.js +0 -1
package/build/map/next_js/interactive_helpers/ui.js.map +1 -1
package/build/map/next_js/resolveAxios.js +24 -5
package/build/map/next_js/resolveAxios.js.map +1 -1
package/build/map/next_js/resolveAxiosHelpers/astNodeToJsonString.js +2 -2
package/build/map/next_js/resolveAxiosHelpers/astNodeToJsonString.js.map +1 -1
package/build/map/next_js/resolveAxiosHelpers/findCrossChunkParams.js +11 -5
package/build/map/next_js/resolveAxiosHelpers/findCrossChunkParams.js.map +1 -1
package/build/map/next_js/resolveAxiosHelpers/interceptorHeaders.js +206 -0
package/build/map/next_js/resolveAxiosHelpers/interceptorHeaders.js.map +1 -0
package/build/map/next_js/resolveAxiosHelpers/processAxiosCall.js +25 -8
package/build/map/next_js/resolveAxiosHelpers/processAxiosCall.js.map +1 -1
package/build/map/next_js/resolveAxiosHelpers/processDirectAxiosCall.js +14 -6
package/build/map/next_js/resolveAxiosHelpers/processDirectAxiosCall.js.map +1 -1
package/build/map/next_js/resolveAxiosHelpers/traceAxiosInstanceExports.js +22 -10
package/build/map/next_js/resolveAxiosHelpers/traceAxiosInstanceExports.js.map +1 -1
package/build/map/next_js/resolveAxiosHelpers/traceBody.js +913 -0
package/build/map/next_js/resolveAxiosHelpers/traceBody.js.map +1 -0
package/build/map/next_js/resolveFetch.js +115 -3
package/build/map/next_js/resolveFetch.js.map +1 -1
package/build/map/next_js/resolveNewRequest.js +749 -0
package/build/map/next_js/resolveNewRequest.js.map +1 -0
package/build/map/next_js/utils.js +397 -49
package/build/map/next_js/utils.js.map +1 -1
package/build/map/vue_js/getViteConnections.js +27 -3
package/build/map/vue_js/getViteConnections.js.map +1 -1
package/build/map/vue_js/interactive.js +28 -0
package/build/map/vue_js/interactive.js.map +1 -1
package/build/map/vue_js/interactive_helpers/commandHandler.js +22 -0
package/build/map/vue_js/interactive_helpers/commandHandler.js.map +1 -1
package/build/map/vue_js/interactive_helpers/helpMenu.js +1 -0
package/build/map/vue_js/interactive_helpers/helpMenu.js.map +1 -1
package/build/map/vue_js/vue_resolveFetch.js +722 -0
package/build/map/vue_js/vue_resolveFetch.js.map +1 -0
package/build/report/utility/populateDb/populateAnalysisFindings.js +1 -1
package/build/report/utility/populateDb/populateAnalysisFindings.js.map +1 -1
package/build/run/index.js +27 -5
package/build/run/index.js.map +1 -1
package/build/strings/index.js +5 -1
package/build/strings/index.js.map +1 -1
package/build/utility/globals.js +9 -0
package/build/utility/globals.js.map +1 -1
package/build/utility/makeReq.js +90 -11
package/build/utility/makeReq.js.map +1 -1
package/build/utility/openapiGenerator.js +60 -4
package/build/utility/openapiGenerator.js.map +1 -1
package/build/utility/postmanGenerator.js +167 -0
package/build/utility/postmanGenerator.js.map +1 -0
package/package.json +2 -2

package/.github/workflows/pr_checker.yml CHANGED Viewed

@@ -8,16 +8,17 @@ on:
 jobs:
   check-branch:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
-      - uses: actions/checkout@v4
-      - name: Check source branch
-        if: github.head_ref != 'dev'
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Redirect PR to dev
+        if: github.head_ref != 'dev' || github.event.pull_request.head.repo.full_name != 'shriyanss/js-recon'
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR_URL: ${{ github.event.pull_request.html_url }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
           BRANCH_NAME: ${{ github.head_ref }}
+          SOURCE_REPO: ${{ github.event.pull_request.head.repo.full_name }}
         run: |
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
-          gh pr comment $PR_URL --body "This merge is not possible. Create a PR for $BRANCH_NAME -> dev"
-          gh pr close $PR_URL
+          gh pr edit $PR_NUMBER --base dev
+          gh pr comment $PR_NUMBER --body "This PR was targeting \`main\`, but only the \`dev\` branch of \`shriyanss/js-recon\` can merge directly into \`main\`. The target branch has been changed to \`dev\` (source: \`$SOURCE_REPO:$BRANCH_NAME\`)."

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,52 @@
 # Change Log
+## 1.3.1-alpha.3 - 2026-05-20
+### Added
+- Add version for rule templates
+- Add Vue js support for analyze module
+- `esquery` interactive command + headless `-c/--command` runner for `map` and `run`, with `&&` chaining (`map`)
+- Line-editor behavior in interactive mode: cursor movement (left/right/home/end/ctrl-a/ctrl-e), word-wise motion/delete (ctrl-w, ctrl-left/right), kill-to-start/end (ctrl-u/ctrl-k), delete-at-cursor, mid-string insertion so paste lands at the cursor, and horizontal scroll for long inputs (`map -i`)
+### Changed
+- Removed `mouse: true` from the interactive output pane so terminal-native text selection/copy works in the output area (`map -i`)
+- Vue.js fetch resolver now walks back to the enclosing wrapper function's caller(s) so `URLSearchParams(param.subprop)` expands to real `?k1={k1}&k2={k2}` query strings and spread-header / member-value placeholders get substituted from the caller's object literal — including transitive resolution when the caller passes its own param through (`map`)
+- Vue.js fetch resolver recognises destructured fetch wrappers (e.g. `const { wrapperKey: x } = factory({ ... })`) and resolves their callsites as fetch calls, with positional-first-arg filtering to avoid mis-identifying object-shaped wrappers that construct the URL from a property of their input (`map`)
+- Distinct callsites for the same `(path, method)` are preserved in both the OpenAPI spec (path key gets a `#N` suffix) and the Postman collection (request name gets a `#N` suffix) instead of being collapsed to a single entry (`map`)
+### Fixed
+- Spread elements in request bodies and option objects are no longer silently dropped when the spread argument is unresolvable — the output surfaces a sentinel key (e.g. `"...arg": "<spread>"`, `"...call()": "<spread>"`) so downstream readers know more fields exist at runtime (`map`)
+## 1.3.1-alpha.2 - 2026-05-18
+### Added
+- Added taint analysis in the `analyze` engine for Next.js
+- Download JS files as soon as they are discovered (`lazyload`)
+- Recursively resolve HTTP requests in Next.js (`map`)
+- Stream JS file downloads during Vue.js discovery — downloads start as soon as each discovery step finds files instead of waiting for the full pipeline (`lazyload`)
+- Resolve `UnaryExpression` nodes (`!x`, `void 0`, `-x`, `typeof x`) so request bodies surface real boolean/null values instead of `[unsupported node type: UnaryExpression]` (`map`)
+- Resolve `ArrayExpression` nodes recursively so array body fields render their element shape instead of `[unsupported node type: ArrayExpression]` (`map`)
+- Resolve `JSON.stringify(variable)` calls by tracing the argument, replacing the opaque `[call:JSON.stringify()]` placeholder (`map`)
+- Resolve `new URLSearchParams({...})` to a real query string, using `{key}` placeholders for values that can't be statically resolved (`map`)
+- Partial-concatenation fallback for binary `+` expressions so resolvable fragments are preserved when one side is unresolved (`map`)
+### Changed
+- Nested `JSON.stringify(expr)` inside a body object now resolves `expr` instead of emitting `[call to object...]` (`map`)
+### Fixed
+- Invalidate request cache if the memory is full
+- Progress bars no longer hide the terminal cursor permanently when they exit without a clean `stop()` — all bars now use `hideCursor: false` (`lazyload`)
+- Removed the concurrent download progress bar in the Vue.js section that was causing display corruption — discovery `console.log` calls no longer collide with the bar's render line (`lazyload`)
+- API spec / Postman collection URLs no longer get `{{baseUrl}}` prepended to already-absolute URLs — full URLs are now reduced to their pathname (`map`)
+- Spread elements that can't be resolved are now skipped instead of being emitted as fake `"...spread": "[spread:e]"` body fields (`map`)
+- Request bodies that reduce to an empty `{}` after resolution are now omitted from the Postman collection (`map`)
 ## 1.3.1-alpha.1 - 2026.05.13
 ### Added

package/CLAUDE.md ADDED Viewed

@@ -0,0 +1,136 @@
+# js-recon
+Static analysis tool that maps API endpoints and detects client-side security issues by analyzing Next.js (webpack/turbopack) and Vue.js bundles. Written in TypeScript, compiled to `build/` before running.
+## Build & run
+```bash
+npm run cleanup   # rm -rf build/ + tsc (full rebuild)
+npm run start -- <subcommand> [options]
+```
+`cleanup` must be run before testing any TypeScript change when using the `run` command.
+## Subcommands
+| Command       | Purpose                                                         |
+| ------------- | --------------------------------------------------------------- |
+| `lazyload`    | Download JS chunks from a target URL                            |
+| `strings`     | Extract strings/paths/secrets from JS files                     |
+| `map`         | Parse webpack/turbopack bundles into a structured `mapped.json` |
+| `endpoints`   | Extract client-side routes                                      |
+| `analyze`     | Run YAML rules against `mapped.json` / OpenAPI spec             |
+| `report`      | Generate HTML/SQLite report                                     |
+| `run`         | Run all of the above in sequence (primary interface)            |
+| `api-gateway` | Manage AWS API Gateway for IP rotation                          |
+| `mcp`         | Interactive AI-powered CLI                                      |
+## Key source files
+- `src/index.ts` — CLI entry point; all subcommand definitions and option declarations live here
+- `src/run/index.ts` — orchestrates the full pipeline (`run` subcommand); two tech-specific flows (Next.js 8-step, Vue 4-step)
+- `src/analyze/index.ts` — loads/validates rules, runs AST and request engines
+- `src/analyze/helpers/initRules.ts` — downloads/caches rules from GitHub to `~/.js-recon/rules`
+- `src/analyze/helpers/validate.ts` — validates rules and checks `js_recon_version` compatibility
+- `src/analyze/helpers/schemas.ts` — Zod schema for rule YAML files
+- `src/map/next_js/resolveFetch.ts` — resolves `fetch()` calls, detects Next.js framework chunks
+- `src/map/next_js/utils.ts` — `resolveNodeValue`, `resolveVariableInChunk`, `substituteVariablesInString`
+- `src/map/next_js/getWebpackConnections.ts` — extracts chunk code from webpack bundles
+- `src/map/next_js/interactive_helpers/esqueryGen.ts` — `esquery` interactive command: minifies a pasted snippet, matches it against each chunk's minified AST nodes, prints loose/strict selectors. Vue's command handler imports the same module — keep it framework-agnostic.
+- `src/map/next_js/interactive.ts` / `src/map/vue_js/interactive.ts` — export both the blessed-backed `interactive()` entry and a headless `runCommands(chunks, mapFile, commands)` that pipes `outputBox.log` to stdout for `-c/--command` execution.
+- `src/map/next_js/interactive_helpers/inputPatch.ts` — `enableCursorInput(inputBox)` patches a blessed textbox instance to support cursor movement, mid-string insertion, and paste-at-cursor. It overrides `_listener`/`setValue`/`_updateCursor`/`clearValue` on the instance. **Don't try to remove blessed's listener after the fact** — blessed re-binds `this._listener` on every focus, so overriding `_listener` on the instance is the only race-free approach. Shared by Next.js and Vue interactive entries.
+- `src/globalConfig.ts` — current version string and tool-wide constants
+- `src/utility/globals.ts` — mutable global state (tech detection result, AI config, OpenAPI flag, etc.)
+## `run` pipeline in detail
+`run` is the primary subcommand. It calls `processUrl` for each target, which dispatches to one of two pipelines based on the detected front-end framework (`globalsUtil.getTech()`).
+### Next.js pipeline (8 steps)
+1. **Lazyload** — downloads initial JS chunks via Puppeteer; detects framework; sets `globalsUtil.getTech()` to `"next"`
+2. **Strings** — scans downloaded JS for strings, extracts URL paths → `extracted_urls.json`
+3. **Lazyload (subsequent requests)** — re-crawls using the extracted paths to fetch dynamically loaded chunks; also fetches `buildId`
+4. **Strings (pass 2)** — re-runs strings on the expanded chunk set; generates `extracted_urls.txt` (permuted) and `extracted_urls-openapi.json`; optionally scans secrets (`--secrets`)
+5. **Lazyload re-pass (step 4.5)** — a second subsequent-requests crawl to pick up chunks for dynamic routes discovered in pass 2
+6. **Strings re-pass (step 4.6)** — strings pass over the re-pass chunks
+7. **Map** — parses webpack/turbopack bundles; resolves `fetch()` calls and axios usage; generates `mapped.json` and `mapped-openapi.json`; CDN-aware: if JS was served from a different host, `getCdnDir` finds the CDN output dir and passes that to map instead of `outputDir/host`
+8. **Endpoints** — extracts client-side route paths; uses `___subsequent_requests` directory presence to decide whether to pass a JS directory
+9. **Analyze** — loads YAML rules (from `-r/--rules` if provided, otherwise default rules cache); runs AST engine and request engine; writes `analyze.json`
+10. **Report** — populates SQLite DB (`js-recon.db`) and generates HTML report
+### Vue.js pipeline (4 steps)
+1. **Lazyload** — same as Next.js step 1; sets `globalsUtil.getTech()` to `"vue"`
+2. **Map** — scans the entire `outputDir` (Vue chunks spread across asset hosts)
+3. **Analyze** — same rule loading as Next.js; `-r/--rules` is forwarded here too
+4. **Report** — same as Next.js; if `endpoints.json` doesn't exist it is written as `[]` since Vue endpoints extraction isn't implemented yet
+### Tech detection flow
+`lazyLoad` sets the global tech string. If it remains `""` after lazyload, `run` exits (single URL) or skips (batch). Techs other than `"next"` and `"vue"` only get lazyload; the rest of the pipeline is skipped with a warning.
+### Batch mode
+When `-u` points to a file of URLs, each line is processed sequentially. For each URL:
+- A subdirectory `output/<host>/` is created
+- `clearJsUrls()` / `clearJsonUrls()` reset the URL sets so previous targets don't bleed over
+- All output paths are prefixed with `workingDir/`
+## Adding a new flag to `run`
+1. Declare the option in `src/index.ts` on the `run` command (`.option(...)`)
+2. If it configures a global, call the setter in the `action` handler before `await run(cmd)`
+3. If it needs to reach a downstream module (like `analyze`), thread it through `cmd` — `processUrl` receives the full `cmd` object and passes it to submodule calls
+**Example — `-r/--rules` flag (added in this codebase):**
+- Declared in `src/index.ts`: `.option("-r, --rules <file/dir>", "Rules file or directory (passed to analyze module)")`
+- In `src/run/index.ts` the `analyze` calls use `cmd.rules || ""` — empty string tells `analyze` to use the default rules cache
+## Interactive-mode commands
+The `map -i` blessed UI dispatches user input through `interactive_helpers/commandHandler.ts`. The same handler runs headlessly when commands are supplied via `-c/--command`:
+- The `-c` option's commander coerce function splits each value on `&&` (with optional whitespace) and concatenates into a single command array. So `-c "list fetch && esquery * fetch"` is two commands; passing `-c` twice has the same effect.
+- `map`'s entry point checks `commands.length > 0` first — if non-empty, it calls `nextRunCommands` / `vueRunCommands` and skips the blessed UI even when `-i` is also set.
+- New commands should be added to **both** `next_js/interactive_helpers/commandHandler.ts` and `vue_js/interactive_helpers/commandHandler.ts`, plus the corresponding `helpMenu.ts` entry. When the implementation is framework-agnostic (e.g. `esquery`), put it under `next_js/interactive_helpers/` and import it from the Vue handler — don't duplicate.
+## Rules
+Rules are YAML files (`.yml`/`.yaml`) in two places:
+- **Workspace:** `../js-recon-rules/` (relative to this repo)
+- **Installed cache:** `~/.js-recon/rules`
+`initRules` downloads rules from GitHub when missing or when the cached version doesn't match the latest release. `js_recon_version` (required) must be declared in every rule (e.g. `js_recon_version: ">=X.Y.Z"`); `initRules` uses it to validate compatibility and skips incompatible rules with a warning. The version check strips prerelease suffixes (e.g. `1.3.1-alpha.3` → `[1,3,1]`).
+Rule categories:
+- `ast/` — AST-based pattern matching against chunk code (uses `@babel/parser` + `esquery`)
+- `request/` — OpenAPI/request-level checks against the resolved endpoint list
+When `-r` points to a single file, only that rule is loaded. When it points to a directory, all `.yml`/`.yaml` files are loaded recursively.
+## Testing a change
+**Testing is mandatory for every change.** Before reporting a task complete:
+1. Run `npm run cleanup` to rebuild TypeScript.
+2. Run the `run` subcommand against the target the user provides. Do not use `analyze` or other individual subcommands as a substitute — the `run` subcommand must be used to validate end-to-end behavior.
+3. If the user has not provided a target, ask for one before proceeding.
+Typical test invocation:
+```bash
+npm run cleanup && npm run start -- run -u <target-url> -y -k
+```
+## Security / confidentiality
+When a change is informed by behavior observed on a real target (URLs, endpoint names, response shapes, finding details, etc.):
+- **Do not include any target information in code comments, commit messages, docstrings, variable names, or any other artifact.**
+- This applies to hostnames, paths, parameter names, response content, or any other detail that could identify the target.
+- If context from the target is needed to describe a change, describe it in abstract terms only (e.g. "URL parameter passed to fetch" not "https://example.com/api/docs passes `file` param to fetch").

package/build/analyze/engine/astEngine.js CHANGED Viewed

@@ -16,6 +16,7 @@ import { highlight } from "cli-highlight";
 import { resolveFunctionIdentifier } from "../helpers/engineHelpers/resolveFunctionIdentifier.js";
 import { findMemberExpressionAssignment } from "../helpers/engineHelpers/findMemberExpressionAssignment.js";
 import { findDirectAssignment } from "../helpers/engineHelpers/findDirectAssignment.js";
+import { computeTaint, sinkConsumesTaint } from "../helpers/engineHelpers/taintFlow.js";
 /**
  * ESQuery-based AST analysis engine for detecting code patterns using custom rules.
  *
@@ -32,13 +33,22 @@ const esqueryEngine = (rule, mappedJsonData) => __awaiter(void 0, void 0, void 0
     let findings = [];
     for (const chunk of Object.values(mappedJsonData)) {
         // first of all, load the code in ast
-        const ast = parser.parse(chunk.code, {
-            sourceType: "unambiguous",
-            plugins: ["jsx", "typescript"],
-            errorRecovery: true,
-        });
+        let ast;
+        try {
+            ast = parser.parse(chunk.code, {
+                sourceType: "unambiguous",
+                plugins: ["jsx", "typescript"],
+                errorRecovery: true,
+            });
+        }
+        catch (_c) {
+            continue;
+        }
         let matchList = {};
         const completedSteps = new Set();
+        // Cache taint info per "source step name" so we don't recompute when several
+        // sink steps share the same source step.
+        const taintCache = {};
         // iterate through the steps in the rule
         for (const step of rule.steps) {
             // honor `requires`: skip the step if any of its required steps did not complete
@@ -64,7 +74,25 @@ const esqueryEngine = (rule, mappedJsonData) => __awaiter(void 0, void 0, void 0
                     searchRoot = scopeMatch.node;
                 }
                 // match the query against what is there in the user defined config file
-                const matches = esquery(searchRoot, selector);
+                let matches = esquery(searchRoot, selector);
+                // Optional data-flow filter: only keep matches whose value-side actually
+                // consumes a value tainted by the named source step's matches. This is
+                // what distinguishes a real source→sink finding from accidental
+                // source-and-sink-in-the-same-bundle co-occurrence.
+                if (matches.length > 0 && step.esquery.taintFrom) {
+                    const sourceStepName = step.esquery.taintFrom;
+                    const sourceMatch = matchList[sourceStepName];
+                    if (!sourceMatch) {
+                        // No source matched — nothing can be tainted from it.
+                        continue;
+                    }
+                    if (!taintCache[sourceStepName]) {
+                        const sourceNodes = sourceMatch.allNodes || [sourceMatch.node];
+                        taintCache[sourceStepName] = computeTaint(ast, sourceNodes);
+                    }
+                    const taint = taintCache[sourceStepName];
+                    matches = matches.filter((m) => sinkConsumesTaint(ast, m, taint));
+                }
                 if (matches.length > 0) {
                     // store the first match as the "primary" node so later steps can reference it,
                     // and keep the full match list available for tooling that wants it.

package/build/analyze/engine/astEngine.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"astEngine.js","sourceRoot":"","sources":["../../../src/analyze/engine/astEngine.ts"],"names":[],"mappings":";;;;;;;;;AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAI1B,OAAO,MAAM,MAAM,eAAe,CAAC;AAEnC,OAAO,UAAU,MAAM,kBAAkB,CAAC;AAC1C,MAAM,SAAS,GAAG,UAAU,CAAC,OAAO,CAAC;AACrC,OAAO,OAAO,MAAM,SAAS,CAAC;AAE9B,OAAO,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAC1C,OAAO,EAAE,yBAAyB,EAAE,MAAM,uDAAuD,CAAC;AAClG,OAAO,EAAE,8BAA8B,EAAE,MAAM,4DAA4D,CAAC;AAC5G,OAAO,EAAE,oBAAoB,EAAE,MAAM,kDAAkD,CAAC;~~AAGxF~~;;;;;;;;;;GAUG;AACH,MAAM,aAAa,GAAG,CAAO,IAAU,EAAE,cAAsB,EAA2B,EAAE;;IACxF,IAAI,QAAQ,GAAmB,EAAE,CAAC;IAElC,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,EAAE,CAAC;QAChD,qCAAqC;QACrC,~~MAAM~~,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE;~~YACjC~~,UAAU,EAAE,aAAa;~~YACzB~~,OAAO,EAAE,CAAC,KAAK,EAAE,YAAY,CAAC;~~YAC9B~~,aAAa,EAAE,IAAI;~~SACtB~~,CAAC,CAAC;~~QAEH~~,IAAI,SAAS,GAAsE,EAAE,CAAC;QACtF,MAAM,cAAc,GAAgB,IAAI,GAAG,EAAE,CAAC;~~QAE9C~~,wCAAwC;QACxC,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAC5B,gFAAgF;YAChF,IAAI,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC5C,MAAM,cAAc,GAAG,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;gBACzE,IAAI,CAAC,cAAc,EAAE,CAAC;oBAClB,SAAS;gBACb,CAAC;YACL,CAAC;YAED,8CAA8C;YAC9C,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;gBACf,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC;gBAEpC,iFAAiF;gBACjF,4EAA4E;gBAC5E,yFAAyF;gBACzF,IAAI,UAAU,GAAS,GAAG,CAAC;gBAC3B,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;oBACzB,MAAM,UAAU,GAAG,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;oBACrD,IAAI,CAAC,UAAU,EAAE,CAAC;wBACd,mDAAmD;wBACnD,SAAS;oBACb,CAAC;oBACD,UAAU,GAAG,UAAU,CAAC,IAAI,CAAC;gBACjC,CAAC;gBAED,wEAAwE;gBACxE,~~MAAM~~,OAAO,GAAW,OAAO,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;~~gBAEtD~~,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACrB,+EAA+E;oBAC/E,oEAAoE;oBACpE,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;oBAC3E,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAClC,CAAC;YACL,CAAC;iBAAM,IAAI,IAAI,CAAC,sBAAsB,EAAE,CAAC;gBACrC,6FAA6F;gBAE7F,MAAM,YAAY,GAAS,MAAA,SAAS,CAAC,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC,0CAAE,IAAI,CAAC;gBAE7E,IAAI,YAAY,EAAE,CAAC;oBACf,0DAA0D;oBAC1D,IAAI,YAAY,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;wBACzC,IACI,YAAY,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB;4BAC/C,YAAY,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;4BAClD,YAAY,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,kBAAkB;4BACxD,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,eAAe;4BAClD,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,KAAK,KAAK,SAAS,EAC/C,CAAC;4BACC,IAAI,YAAY,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gCACtC,+CAA+C;gCAC/C,4BAA4B;gCAC5B,IAAI,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;oCAClD,qCAAqC;oCACrC,MAAM,kBAAkB,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;oCACrD,MAAM,gBAAgB,GAAG,yBAAyB,CAAC,kBAAkB,EAAE,GAAG,CAAC,CAAC;oCAE5E,IAAI,gBAAgB,EAAE,CAAC;wCACnB,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;wCAC9D,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oCAClC,CAAC;gCACL,CAAC;qCAAM,IACH,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,oBAAoB;oCACvD,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,yBAAyB,EAC9D,CAAC;oCACC,MAAM,kBAAkB,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;oCACrD,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,kBAAkB,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;oCAChE,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gCAClC,CAAC;4BACL,CAAC;wBACL,CAAC;oBACL,CAAC;gBACL,CAAC;YACL,CAAC;iBAAM,IAAI,IAAI,CAAC,oBAAoB,EAAE,CAAC;gBACnC,MAAM,YAAY,GAAS,MAAA,SAAS,CAAC,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,0CAAE,IAAI,CAAC;gBAC3E,MAAM,OAAO,GAAG,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC;gBAC/C,MAAM,gBAAgB,GAAG,IAAI,CAAC,oBAAoB,CAAC,gBAAgB,CAAC;gBAEpE,IAAI,YAAY,IAAI,gBAAgB,EAAE,CAAC;oBACnC,MAAM,cAAc,GAAG,8BAA8B,CACjD,YAAY,EACZ,OAAO,EACP,SAAS,CAAC,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,CAAC,KAAK,CAClD,CAAC;oBAEF,IAAI,cAAc,EAAE,CAAC;wBACjB,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;wBAC5D,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBAClC,CAAC;gBACL,CAAC;qBAAM,IAAI,YAAY,EAAE,CAAC;oBACtB,MAAM,cAAc,GAAG,oBAAoB,CACvC,YAAY,EACZ,SAAS,CAAC,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,CAAC,KAAK,CAClD,CAAC;oBAEF,IAAI,cAAc,EAAE,CAAC;wBACjB,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;wBAC5D,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBAClC,CAAC;gBACL,CAAC;YACL,CAAC;QACL,CAAC;QAED,qEAAqE;QACrE,IAAI,cAAc,CAAC,IAAI,KAAK,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YAC5C,MAAM,OAAO,GAAG,QAAQ,IAAI,CAAC,IAAI,oBAAoB,KAAK,CAAC,EAAE,EAAE,CAAC;YAChE,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;YAC9E,MAAM,IAAI,GAAG,SAAS,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC;YAE5C,sDAAsD;YACtD,IAAI,IAAI,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;gBAC3B,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;YACrC,CAAC;iBAAM,IAAI,IAAI,CAAC,QAAQ,KAAK,KAAK,EAAE,CAAC;gBACjC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;YACvC,CAAC;iBAAM,IAAI,IAAI,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBACpC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;YACxC,CAAC;iBAAM,IAAI,IAAI,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;gBAClC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;YACpC,CAAC;YAED,OAAO,CAAC,GAAG,CACP,SAAS,CAAC,IAAI,EAAE;gBACZ,QAAQ,EAAE,YAAY;gBACtB,cAAc,EAAE,IAAI;gBACpB,KAAK,EAAE,SAAS;aACnB,CAAC,CACL,CAAC;YAEF,QAAQ,CAAC,IAAI,CAAC;gBACV,MAAM,EAAE,IAAI,CAAC,EAAE;gBACf,QAAQ,EAAE,IAAI,CAAC,IAAI;gBACnB,QAAQ,EAAE,IAAI,CAAC,IAAI;gBACnB,eAAe,EAAE,IAAI,CAAC,WAAW;gBACjC,UAAU,EAAE,IAAI,CAAC,MAAM;gBACvB,QAAQ,EAAE,IAAI,CAAC,IAAI;gBACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,OAAO;gBAChB,eAAe,EAAE,MAAM,KAAK,CAAC,EAAE,OAAO,IAAI,EAAE;aAC/C,CAAC,CAAC;QACP,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AACpB,CAAC,CAAA,CAAC;AAEF,eAAe,aAAa,CAAC"}
1	+ {"version":3,"file":"astEngine.js","sourceRoot":"","sources":["../../../src/analyze/engine/astEngine.ts"],"names":[],"mappings":";;;;;;;;;AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAI1B,OAAO,MAAM,MAAM,eAAe,CAAC;AAEnC,OAAO,UAAU,MAAM,kBAAkB,CAAC;AAC1C,MAAM,SAAS,GAAG,UAAU,CAAC,OAAO,CAAC;AACrC,OAAO,OAAO,MAAM,SAAS,CAAC;AAE9B,OAAO,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAC1C,OAAO,EAAE,yBAAyB,EAAE,MAAM,uDAAuD,CAAC;AAClG,OAAO,EAAE,8BAA8B,EAAE,MAAM,4DAA4D,CAAC;AAC5G,OAAO,EAAE,oBAAoB,EAAE,MAAM,kDAAkD,CAAC;AACxF,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAa,MAAM,uCAAuC,CAAC;AAGnG;;;;;;;;;;GAUG;AACH,MAAM,aAAa,GAAG,CAAO,IAAU,EAAE,cAAsB,EAA2B,EAAE;;IACxF,IAAI,QAAQ,GAAmB,EAAE,CAAC;IAElC,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,EAAE,CAAC;QAChD,qCAAqC;QACrC,IAAI,GAAG,CAAC;QACR,IAAI,CAAC;YACD,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE;gBAC3B,UAAU,EAAE,aAAa;gBACzB,OAAO,EAAE,CAAC,KAAK,EAAE,YAAY,CAAC;gBAC9B,aAAa,EAAE,IAAI;aACtB,CAAC,CAAC;QACP,CAAC;QAAC,WAAM,CAAC;YACL,SAAS;QACb,CAAC;QAED,IAAI,SAAS,GAAsE,EAAE,CAAC;QACtF,MAAM,cAAc,GAAgB,IAAI,GAAG,EAAE,CAAC;QAC9C,6EAA6E;QAC7E,yCAAyC;QACzC,MAAM,UAAU,GAAwC,EAAE,CAAC;QAE3D,wCAAwC;QACxC,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAC5B,gFAAgF;YAChF,IAAI,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC5C,MAAM,cAAc,GAAG,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;gBACzE,IAAI,CAAC,cAAc,EAAE,CAAC;oBAClB,SAAS;gBACb,CAAC;YACL,CAAC;YAED,8CAA8C;YAC9C,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;gBACf,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC;gBAEpC,iFAAiF;gBACjF,4EAA4E;gBAC5E,yFAAyF;gBACzF,IAAI,UAAU,GAAS,GAAG,CAAC;gBAC3B,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;oBACzB,MAAM,UAAU,GAAG,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;oBACrD,IAAI,CAAC,UAAU,EAAE,CAAC;wBACd,mDAAmD;wBACnD,SAAS;oBACb,CAAC;oBACD,UAAU,GAAG,UAAU,CAAC,IAAI,CAAC;gBACjC,CAAC;gBAED,wEAAwE;gBACxE,IAAI,OAAO,GAAW,OAAO,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;gBAEpD,yEAAyE;gBACzE,uEAAuE;gBACvE,gEAAgE;gBAChE,oDAAoD;gBACpD,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;oBAC/C,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC;oBAC9C,MAAM,WAAW,GAAG,SAAS,CAAC,cAAc,CAAC,CAAC;oBAC9C,IAAI,CAAC,WAAW,EAAE,CAAC;wBACf,sDAAsD;wBACtD,SAAS;oBACb,CAAC;oBACD,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;wBAC9B,MAAM,WAAW,GAAG,WAAW,CAAC,QAAQ,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;wBAC/D,UAAU,CAAC,cAAc,CAAC,GAAG,YAAY,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;oBAChE,CAAC;oBACD,MAAM,KAAK,GAAG,UAAU,CAAC,cAAc,CAAC,CAAC;oBACzC,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,GAAG,EAAE,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC;gBACtE,CAAC;gBAED,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACrB,+EAA+E;oBAC/E,oEAAoE;oBACpE,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;oBAC3E,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAClC,CAAC;YACL,CAAC;iBAAM,IAAI,IAAI,CAAC,sBAAsB,EAAE,CAAC;gBACrC,6FAA6F;gBAE7F,MAAM,YAAY,GAAS,MAAA,SAAS,CAAC,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC,0CAAE,IAAI,CAAC;gBAE7E,IAAI,YAAY,EAAE,CAAC;oBACf,0DAA0D;oBAC1D,IAAI,YAAY,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;wBACzC,IACI,YAAY,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB;4BAC/C,YAAY,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;4BAClD,YAAY,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,kBAAkB;4BACxD,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,eAAe;4BAClD,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,KAAK,KAAK,SAAS,EAC/C,CAAC;4BACC,IAAI,YAAY,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gCACtC,+CAA+C;gCAC/C,4BAA4B;gCAC5B,IAAI,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;oCAClD,qCAAqC;oCACrC,MAAM,kBAAkB,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;oCACrD,MAAM,gBAAgB,GAAG,yBAAyB,CAAC,kBAAkB,EAAE,GAAG,CAAC,CAAC;oCAE5E,IAAI,gBAAgB,EAAE,CAAC;wCACnB,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;wCAC9D,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oCAClC,CAAC;gCACL,CAAC;qCAAM,IACH,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,oBAAoB;oCACvD,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,yBAAyB,EAC9D,CAAC;oCACC,MAAM,kBAAkB,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;oCACrD,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,kBAAkB,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;oCAChE,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gCAClC,CAAC;4BACL,CAAC;wBACL,CAAC;oBACL,CAAC;gBACL,CAAC;YACL,CAAC;iBAAM,IAAI,IAAI,CAAC,oBAAoB,EAAE,CAAC;gBACnC,MAAM,YAAY,GAAS,MAAA,SAAS,CAAC,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,0CAAE,IAAI,CAAC;gBAC3E,MAAM,OAAO,GAAG,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC;gBAC/C,MAAM,gBAAgB,GAAG,IAAI,CAAC,oBAAoB,CAAC,gBAAgB,CAAC;gBAEpE,IAAI,YAAY,IAAI,gBAAgB,EAAE,CAAC;oBACnC,MAAM,cAAc,GAAG,8BAA8B,CACjD,YAAY,EACZ,OAAO,EACP,SAAS,CAAC,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,CAAC,KAAK,CAClD,CAAC;oBAEF,IAAI,cAAc,EAAE,CAAC;wBACjB,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;wBAC5D,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBAClC,CAAC;gBACL,CAAC;qBAAM,IAAI,YAAY,EAAE,CAAC;oBACtB,MAAM,cAAc,GAAG,oBAAoB,CACvC,YAAY,EACZ,SAAS,CAAC,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,CAAC,KAAK,CAClD,CAAC;oBAEF,IAAI,cAAc,EAAE,CAAC;wBACjB,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;wBAC5D,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBAClC,CAAC;gBACL,CAAC;YACL,CAAC;QACL,CAAC;QAED,qEAAqE;QACrE,IAAI,cAAc,CAAC,IAAI,KAAK,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YAC5C,MAAM,OAAO,GAAG,QAAQ,IAAI,CAAC,IAAI,oBAAoB,KAAK,CAAC,EAAE,EAAE,CAAC;YAChE,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;YAC9E,MAAM,IAAI,GAAG,SAAS,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC;YAE5C,sDAAsD;YACtD,IAAI,IAAI,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;gBAC3B,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;YACrC,CAAC;iBAAM,IAAI,IAAI,CAAC,QAAQ,KAAK,KAAK,EAAE,CAAC;gBACjC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;YACvC,CAAC;iBAAM,IAAI,IAAI,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBACpC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;YACxC,CAAC;iBAAM,IAAI,IAAI,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;gBAClC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;YACpC,CAAC;YAED,OAAO,CAAC,GAAG,CACP,SAAS,CAAC,IAAI,EAAE;gBACZ,QAAQ,EAAE,YAAY;gBACtB,cAAc,EAAE,IAAI;gBACpB,KAAK,EAAE,SAAS;aACnB,CAAC,CACL,CAAC;YAEF,QAAQ,CAAC,IAAI,CAAC;gBACV,MAAM,EAAE,IAAI,CAAC,EAAE;gBACf,QAAQ,EAAE,IAAI,CAAC,IAAI;gBACnB,QAAQ,EAAE,IAAI,CAAC,IAAI;gBACnB,eAAe,EAAE,IAAI,CAAC,WAAW;gBACjC,UAAU,EAAE,IAAI,CAAC,MAAM;gBACvB,QAAQ,EAAE,IAAI,CAAC,IAAI;gBACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,OAAO;gBAChB,eAAe,EAAE,MAAM,KAAK,CAAC,EAAE,OAAO,IAAI,EAAE;aAC/C,CAAC,CAAC;QACP,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AACpB,CAAC,CAAA,CAAC;AAEF,eAAe,aAAa,CAAC"}

package/build/analyze/engine/index.js CHANGED Viewed

@@ -35,7 +35,7 @@ export const engine = (rule, mappedJsonData, openapiData, tech) => __awaiter(voi
                 techValid = false;
             }
         }
-        if (techValid || tech === "all") {
+        if (techValid || tech === "all" || rule.tech.includes("all")) {
             findings.push(...(yield requestEngine(rule, openapiData)));
         }
     }
@@ -49,7 +49,7 @@ export const engine = (rule, mappedJsonData, openapiData, tech) => __awaiter(voi
                 techValid = false;
             }
         }
-        if (techValid || tech === "all") {
+        if (techValid || tech === "all" || rule.tech.includes("all")) {
             findings.push(...(yield astEngine(rule, mappedJsonData)));
         }
     }

package/build/analyze/engine/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/analyze/engine/index.ts"],"names":[],"mappings":";;;;;;;;;AAGA,OAAO,aAAa,MAAM,oBAAoB,CAAC;AAC/C,OAAO,SAAS,MAAM,gBAAgB,CAAC;AAGvC;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,MAAM,MAAM,GAAG,CAClB,IAAU,EACV,cAAkC,EAClC,WAAoC,EACpC,~~IAAoB~~,~~EACe~~,EAAE;IACrC,yGAAyG;IAEzG,IAAI,QAAQ,GAAmB,EAAE,CAAC;IAElC,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC1B,IAAI,CAAC,WAAW,EAAE,CAAC;YACf,OAAO;QACX,CAAC;QAED,IAAI,SAAS,GAAG,IAAI,CAAC;QACrB,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACxB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC5B,SAAS,GAAG,KAAK,CAAC;YACtB,CAAC;QACL,CAAC;QAED,IAAI,SAAS,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;~~YAC9B~~,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,aAAa,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC;QAC/D,CAAC;IACL,CAAC;SAAM,IAAI,IAAI,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC7B,IAAI,CAAC,cAAc,EAAE,CAAC;YAClB,OAAO;QACX,CAAC;QAED,IAAI,SAAS,GAAG,IAAI,CAAC;QACrB,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACxB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC5B,SAAS,GAAG,KAAK,CAAC;YACtB,CAAC;QACL,CAAC;QAED,IAAI,SAAS,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;~~YAC9B~~,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,SAAS,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC,CAAC,CAAC;QAC9D,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AACpB,CAAC,CAAA,CAAC;AAEF,eAAe,MAAM,CAAC"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/analyze/engine/index.ts"],"names":[],"mappings":";;;;;;;;;AAGA,OAAO,aAAa,MAAM,oBAAoB,CAAC;AAC/C,OAAO,SAAS,MAAM,gBAAgB,CAAC;AAGvC;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,MAAM,MAAM,GAAG,CAClB,IAAU,EACV,cAAkC,EAClC,WAAoC,EACpC,IAA4B,EACO,EAAE;IACrC,yGAAyG;IAEzG,IAAI,QAAQ,GAAmB,EAAE,CAAC;IAElC,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC1B,IAAI,CAAC,WAAW,EAAE,CAAC;YACf,OAAO;QACX,CAAC;QAED,IAAI,SAAS,GAAG,IAAI,CAAC;QACrB,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACxB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC5B,SAAS,GAAG,KAAK,CAAC;YACtB,CAAC;QACL,CAAC;QAED,IAAI,SAAS,IAAI,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3D,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,aAAa,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC;QAC/D,CAAC;IACL,CAAC;SAAM,IAAI,IAAI,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC7B,IAAI,CAAC,cAAc,EAAE,CAAC;YAClB,OAAO;QACX,CAAC;QAED,IAAI,SAAS,GAAG,IAAI,CAAC;QACrB,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACxB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC5B,SAAS,GAAG,KAAK,CAAC;YACtB,CAAC;QACL,CAAC;QAED,IAAI,SAAS,IAAI,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3D,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,SAAS,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC,CAAC,CAAC;QAC9D,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AACpB,CAAC,CAAA,CAAC;AAEF,eAAe,MAAM,CAAC"}

package/build/analyze/helpers/engineHelpers/taintFlow.js ADDED Viewed

@@ -0,0 +1,218 @@
+import _traverse from "@babel/traverse";
+const traverse = _traverse.default;
+const memberChainString = (node) => {
+    if (node.type === "Identifier")
+        return node.name;
+    if (node.type === "ThisExpression")
+        return "this";
+    if (node.type === "MemberExpression") {
+        if (node.computed)
+            return null;
+        if (node.property.type !== "Identifier")
+            return null;
+        const obj = memberChainString(node.object);
+        if (!obj)
+            return null;
+        return `${obj}.${node.property.name}`;
+    }
+    return null;
+};
+const collectIdsFromPattern = (node) => {
+    if (!node)
+        return [];
+    if (node.type === "Identifier")
+        return [node.name];
+    if (node.type === "ObjectPattern") {
+        return node.properties.flatMap((p) => {
+            if (p.type === "ObjectProperty")
+                return collectIdsFromPattern(p.value);
+            if (p.type === "RestElement")
+                return collectIdsFromPattern(p.argument);
+            return [];
+        });
+    }
+    if (node.type === "ArrayPattern") {
+        return node.elements.flatMap((e) => (e ? collectIdsFromPattern(e) : []));
+    }
+    if (node.type === "AssignmentPattern")
+        return collectIdsFromPattern(node.left);
+    if (node.type === "RestElement")
+        return collectIdsFromPattern(node.argument);
+    return [];
+};
+const expressionIsTainted = (path, taint) => {
+    if (taint.sourceNodes.has(path.node))
+        return true;
+    let tainted = false;
+    const visit = (p) => {
+        if (tainted)
+            return;
+        if (taint.sourceNodes.has(p.node)) {
+            tainted = true;
+            p.stop();
+            return;
+        }
+        if (p.node.type === "Identifier") {
+            // skip identifiers that are property keys / declarations themselves
+            const parent = p.parent;
+            if (parent &&
+                ((parent.type === "MemberExpression" && parent.property === p.node && !parent.computed) ||
+                    (parent.type === "ObjectProperty" && parent.key === p.node && !parent.computed) ||
+                    (parent.type === "VariableDeclarator" && parent.id === p.node) ||
+                    (parent.type === "FunctionDeclaration" && parent.id === p.node) ||
+                    (parent.type === "ClassDeclaration" && parent.id === p.node))) {
+                return;
+            }
+            const binding = p.scope.getBinding(p.node.name);
+            if (binding && taint.bindings.has(binding.path)) {
+                tainted = true;
+                p.stop();
+                return;
+            }
+        }
+        if (p.node.type === "MemberExpression") {
+            const chain = memberChainString(p.node);
+            if (chain && taint.memberChains.has(chain)) {
+                tainted = true;
+                p.stop();
+                return;
+            }
+        }
+    };
+    visit(path);
+    if (!tainted) {
+        path.traverse({
+            enter(p) {
+                visit(p);
+            },
+        });
+    }
+    return tainted;
+};
+/**
+ * Compute the taint info for a chunk AST given the source nodes (URL-derived reads).
+ *
+ * Performs scope-aware iterative propagation:
+ *   - Variable declarators / assignment expressions whose right-hand side
+ *     contains a tainted source node or references a tainted binding/member
+ *     chain are themselves tainted.
+ *   - Tainted bindings are tracked by their declaration NodePath; tainted
+ *     member chains (e.g. `R.current`) are tracked as strings.
+ */
+export const computeTaint = (ast, sourceNodes) => {
+    const taint = {
+        bindings: new Set(),
+        memberChains: new Set(),
+        sourceNodes: new Set(sourceNodes),
+    };
+    // Bound iteration count to avoid pathological cases
+    const maxRounds = 8;
+    for (let round = 0; round < maxRounds; round++) {
+        let changed = false;
+        traverse(ast, {
+            VariableDeclarator(path) {
+                if (!path.node.init)
+                    return;
+                const initPath = path.get("init");
+                if (!expressionIsTainted(initPath, taint))
+                    return;
+                const names = collectIdsFromPattern(path.node.id);
+                for (const name of names) {
+                    const binding = path.scope.getBinding(name);
+                    if (binding && !taint.bindings.has(binding.path)) {
+                        taint.bindings.add(binding.path);
+                        changed = true;
+                    }
+                }
+            },
+            AssignmentExpression(path) {
+                const rightPath = path.get("right");
+                if (!expressionIsTainted(rightPath, taint))
+                    return;
+                const left = path.node.left;
+                if (left.type === "Identifier") {
+                    const binding = path.scope.getBinding(left.name);
+                    if (binding && !taint.bindings.has(binding.path)) {
+                        taint.bindings.add(binding.path);
+                        changed = true;
+                    }
+                }
+                else if (left.type === "MemberExpression") {
+                    const chain = memberChainString(left);
+                    if (chain && !taint.memberChains.has(chain)) {
+                        taint.memberChains.add(chain);
+                        changed = true;
+                    }
+                }
+                else if (left.type === "ObjectPattern" || left.type === "ArrayPattern") {
+                    const names = collectIdsFromPattern(left);
+                    for (const name of names) {
+                        const binding = path.scope.getBinding(name);
+                        if (binding && !taint.bindings.has(binding.path)) {
+                            taint.bindings.add(binding.path);
+                            changed = true;
+                        }
+                    }
+                }
+            },
+        });
+        if (!changed)
+            break;
+    }
+    return taint;
+};
+const getSinkValueNodes = (sink) => {
+    switch (sink.type) {
+        case "AssignmentExpression":
+            return [sink.right];
+        case "CallExpression":
+        case "NewExpression": {
+            const args = sink.arguments;
+            return args.filter((a) => a && a.type !== "SpreadElement");
+        }
+        case "ObjectProperty": {
+            const v = sink.value;
+            return v ? [v] : [];
+        }
+        case "JSXAttribute": {
+            // Boolean JSX attributes (e.g. `<div hidden />`) have no value node.
+            const v = sink.value;
+            return v ? [v] : [];
+        }
+        default:
+            return [sink];
+    }
+};
+/**
+ * Returns true when `sinkNode` consumes a value tainted by the URL source(s) used
+ * to compute `taint`. Walks the sink's value-side subtree (RHS for assignments,
+ * arguments for calls/new, value for object/JSX properties) and looks for:
+ *   - direct references to a tainted source subtree,
+ *   - identifiers whose binding is in `taint.bindings`,
+ *   - member-expression chains in `taint.memberChains`.
+ *
+ * To resolve scope-aware bindings, we re-traverse the AST and pick up paths
+ * whose nodes match one of the value-side subtrees.
+ */
+export const sinkConsumesTaint = (ast, sinkNode, taint) => {
+    const valueRoots = new Set(getSinkValueNodes(sinkNode));
+    if (valueRoots.size === 0)
+        return false;
+    let consumed = false;
+    traverse(ast, {
+        enter(path) {
+            if (consumed) {
+                path.stop();
+                return;
+            }
+            if (!valueRoots.has(path.node))
+                return;
+            if (expressionIsTainted(path, taint)) {
+                consumed = true;
+                path.stop();
+            }
+        },
+    });
+    return consumed;
+};
+//# sourceMappingURL=taintFlow.js.map

package/build/analyze/helpers/engineHelpers/taintFlow.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"taintFlow.js","sourceRoot":"","sources":["../../../../src/analyze/helpers/engineHelpers/taintFlow.ts"],"names":[],"mappings":"AACA,OAAO,SAAgC,MAAM,iBAAiB,CAAC;AAC/D,MAAM,QAAQ,GAAG,SAAS,CAAC,OAAO,CAAC;AAQnC,MAAM,iBAAiB,GAAG,CAAC,IAAU,EAAiB,EAAE;IACpD,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY;QAAE,OAAO,IAAI,CAAC,IAAI,CAAC;IACjD,IAAI,IAAI,CAAC,IAAI,KAAK,gBAAgB;QAAE,OAAO,MAAM,CAAC;IAClD,IAAI,IAAI,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;QACnC,IAAI,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAC;QAC/B,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;YAAE,OAAO,IAAI,CAAC;QACrD,MAAM,GAAG,GAAG,iBAAiB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC3C,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,OAAO,GAAG,GAAG,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC1C,CAAC;IACD,OAAO,IAAI,CAAC;AAChB,CAAC,CAAC;AAEF,MAAM,qBAAqB,GAAG,CAAC,IAAU,EAAY,EAAE;IACnD,IAAI,CAAC,IAAI;QAAE,OAAO,EAAE,CAAC;IACrB,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY;QAAE,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACnD,IAAI,IAAI,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;QAChC,OAAO,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE;YACjC,IAAI,CAAC,CAAC,IAAI,KAAK,gBAAgB;gBAAE,OAAO,qBAAqB,CAAC,CAAC,CAAC,KAAa,CAAC,CAAC;YAC/E,IAAI,CAAC,CAAC,IAAI,KAAK,aAAa;gBAAE,OAAO,qBAAqB,CAAC,CAAC,CAAC,QAAgB,CAAC,CAAC;YAC/E,OAAO,EAAE,CAAC;QACd,CAAC,CAAC,CAAC;IACP,CAAC;IACD,IAAI,IAAI,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;QAC/B,OAAO,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,qBAAqB,CAAC,CAAS,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACrF,CAAC;IACD,IAAI,IAAI,CAAC,IAAI,KAAK,mBAAmB;QAAE,OAAO,qBAAqB,CAAC,IAAI,CAAC,IAAY,CAAC,CAAC;IACvF,IAAI,IAAI,CAAC,IAAI,KAAK,aAAa;QAAE,OAAO,qBAAqB,CAAC,IAAI,CAAC,QAAgB,CAAC,CAAC;IACrF,OAAO,EAAE,CAAC;AACd,CAAC,CAAC;AAEF,MAAM,mBAAmB,GAAG,CAAC,IAAc,EAAE,KAAgB,EAAW,EAAE;IACtE,IAAI,KAAK,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAClD,IAAI,OAAO,GAAG,KAAK,CAAC;IACpB,MAAM,KAAK,GAAG,CAAC,CAAW,EAAE,EAAE;QAC1B,IAAI,OAAO;YAAE,OAAO;QACpB,IAAI,KAAK,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;YAChC,OAAO,GAAG,IAAI,CAAC;YACf,CAAC,CAAC,IAAI,EAAE,CAAC;YACT,OAAO;QACX,CAAC;QACD,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;YAC/B,oEAAoE;YACpE,MAAM,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC;YACxB,IACI,MAAM;gBACN,CAAC,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB,IAAI,MAAM,CAAC,QAAQ,KAAK,CAAC,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;oBACnF,CAAC,MAAM,CAAC,IAAI,KAAK,gBAAgB,IAAI,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;oBAC/E,CAAC,MAAM,CAAC,IAAI,KAAK,oBAAoB,IAAK,MAAc,CAAC,EAAE,KAAK,CAAC,CAAC,IAAI,CAAC;oBACvE,CAAC,MAAM,CAAC,IAAI,KAAK,qBAAqB,IAAK,MAAc,CAAC,EAAE,KAAK,CAAC,CAAC,IAAI,CAAC;oBACxE,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB,IAAK,MAAc,CAAC,EAAE,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,EAC5E,CAAC;gBACC,OAAO;YACX,CAAC;YACD,MAAM,OAAO,GAAG,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAChD,IAAI,OAAO,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC9C,OAAO,GAAG,IAAI,CAAC;gBACf,CAAC,CAAC,IAAI,EAAE,CAAC;gBACT,OAAO;YACX,CAAC;QACL,CAAC;QACD,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;YACrC,MAAM,KAAK,GAAG,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;YACxC,IAAI,KAAK,IAAI,KAAK,CAAC,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;gBACzC,OAAO,GAAG,IAAI,CAAC;gBACf,CAAC,CAAC,IAAI,EAAE,CAAC;gBACT,OAAO;YACX,CAAC;QACL,CAAC;IACL,CAAC,CAAC;IACF,KAAK,CAAC,IAAI,CAAC,CAAC;IACZ,IAAI,CAAC,OAAO,EAAE,CAAC;QACX,IAAI,CAAC,QAAQ,CAAC;YACV,KAAK,CAAC,CAAC;gBACH,KAAK,CAAC,CAAC,CAAC,CAAC;YACb,CAAC;SACJ,CAAC,CAAC;IACP,CAAC;IACD,OAAO,OAAO,CAAC;AACnB,CAAC,CAAC;AAEF;;;;;;;;;GASG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC,GAAS,EAAE,WAAmB,EAAa,EAAE;IACtE,MAAM,KAAK,GAAc;QACrB,QAAQ,EAAE,IAAI,GAAG,EAAY;QAC7B,YAAY,EAAE,IAAI,GAAG,EAAU;QAC/B,WAAW,EAAE,IAAI,GAAG,CAAO,WAAW,CAAC;KAC1C,CAAC;IAEF,oDAAoD;IACpD,MAAM,SAAS,GAAG,CAAC,CAAC;IACpB,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,SAAS,EAAE,KAAK,EAAE,EAAE,CAAC;QAC7C,IAAI,OAAO,GAAG,KAAK,CAAC;QAEpB,QAAQ,CAAC,GAAG,EAAE;YACV,kBAAkB,CAAC,IAAI;gBACnB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;oBAAE,OAAO;gBAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAa,CAAC;gBAC9C,IAAI,CAAC,mBAAmB,CAAC,QAAQ,EAAE,KAAK,CAAC;oBAAE,OAAO;gBAClD,MAAM,KAAK,GAAG,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAU,CAAC,CAAC;gBAC1D,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;oBACvB,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;oBAC5C,IAAI,OAAO,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC/C,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;wBACjC,OAAO,GAAG,IAAI,CAAC;oBACnB,CAAC;gBACL,CAAC;YACL,CAAC;YACD,oBAAoB,CAAC,IAAI;gBACrB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAa,CAAC;gBAChD,IAAI,CAAC,mBAAmB,CAAC,SAAS,EAAE,KAAK,CAAC;oBAAE,OAAO;gBACnD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,IAAY,CAAC;gBACpC,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;oBAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBACjD,IAAI,OAAO,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC/C,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;wBACjC,OAAO,GAAG,IAAI,CAAC;oBACnB,CAAC;gBACL,CAAC;qBAAM,IAAI,IAAI,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;oBAC1C,MAAM,KAAK,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;oBACtC,IAAI,KAAK,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;wBAC1C,KAAK,CAAC,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;wBAC9B,OAAO,GAAG,IAAI,CAAC;oBACnB,CAAC;gBACL,CAAC;qBAAM,IAAI,IAAI,CAAC,IAAI,KAAK,eAAe,IAAI,IAAI,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;oBACvE,MAAM,KAAK,GAAG,qBAAqB,CAAC,IAAI,CAAC,CAAC;oBAC1C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;wBACvB,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;wBAC5C,IAAI,OAAO,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;4BAC/C,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;4BACjC,OAAO,GAAG,IAAI,CAAC;wBACnB,CAAC;oBACL,CAAC;gBACL,CAAC;YACL,CAAC;SACJ,CAAC,CAAC;QAEH,IAAI,CAAC,OAAO;YAAE,MAAM;IACxB,CAAC;IAED,OAAO,KAAK,CAAC;AACjB,CAAC,CAAC;AAEF,MAAM,iBAAiB,GAAG,CAAC,IAAU,EAAU,EAAE;IAC7C,QAAQ,IAAI,CAAC,IAAI,EAAE,CAAC;QAChB,KAAK,sBAAsB;YACvB,OAAO,CAAC,IAAI,CAAC,KAAa,CAAC,CAAC;QAChC,KAAK,gBAAgB,CAAC;QACtB,KAAK,eAAe,CAAC,CAAC,CAAC;YACnB,MAAM,IAAI,GAAI,IAAY,CAAC,SAAmB,CAAC;YAC/C,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,KAAK,eAAe,CAAC,CAAC;QAC/D,CAAC;QACD,KAAK,gBAAgB,CAAC,CAAC,CAAC;YACpB,MAAM,CAAC,GAAI,IAAY,CAAC,KAAgC,CAAC;YACzD,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACxB,CAAC;QACD,KAAK,cAAc,CAAC,CAAC,CAAC;YAClB,qEAAqE;YACrE,MAAM,CAAC,GAAI,IAAY,CAAC,KAAgC,CAAC;YACzD,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACxB,CAAC;QACD;YACI,OAAO,CAAC,IAAI,CAAC,CAAC;IACtB,CAAC;AACL,CAAC,CAAC;AAEF;;;;;;;;;;GAUG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,GAAS,EAAE,QAAc,EAAE,KAAgB,EAAW,EAAE;IACtF,MAAM,UAAU,GAAG,IAAI,GAAG,CAAO,iBAAiB,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC9D,IAAI,UAAU,CAAC,IAAI,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAExC,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,QAAQ,CAAC,GAAG,EAAE;QACV,KAAK,CAAC,IAAI;YACN,IAAI,QAAQ,EAAE,CAAC;gBACX,IAAI,CAAC,IAAI,EAAE,CAAC;gBACZ,OAAO;YACX,CAAC;YACD,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,OAAO;YACvC,IAAI,mBAAmB,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,CAAC;gBACnC,QAAQ,GAAG,IAAI,CAAC;gBAChB,IAAI,CAAC,IAAI,EAAE,CAAC;YAChB,CAAC;QACL,CAAC;KACJ,CAAC,CAAC;IACH,OAAO,QAAQ,CAAC;AACpB,CAAC,CAAC"}

package/build/analyze/helpers/schemas.js CHANGED Viewed

@@ -20,6 +20,7 @@ const esqueryStepSchema = z.object({
     type: z.literal("esquery"),
     query: z.string(),
     inScopeOf: z.string().optional(),
+    taintFrom: z.string().optional(),
 });
 const PostMessageFuncResolverStepSchema = z.object({
     name: z.string(),
@@ -43,7 +44,8 @@ export const ruleSchema = z.object({
     name: z.string(),
     author: z.string(),
     description: z.string(),
-    tech: z.array(z.literal("next")),
+    js_recon_version: z.string(),
+    tech: z.array(z.enum(["next", "vue", "all"])),
     severity: z.enum(["info", "low", "medium", "high"]),
     type: z.enum(["request", "ast"]),
     steps: z.array(stepSchema),

package/build/analyze/helpers/schemas.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"schemas.js","sourceRoot":"","sources":["../../../src/analyze/helpers/schemas.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC;IAC9B,CAAC,CAAC,MAAM,CAAC;QACL,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;QAC1B,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;QACzC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;KACnB,CAAC;IACF,CAAC,CAAC,MAAM,CAAC;QACL,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;QACtB,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;QACzC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;KACnB,CAAC;IACF,CAAC,CAAC,MAAM,CAAC;QACL,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC;QACzB,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QACnC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;KACnB,CAAC;CACL,CAAC,CAAC;AAEH,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/B,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;IAC1B,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;IACjB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACnC,CAAC,CAAC;AAEH,MAAM,iCAAiC,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/C,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;CACnB,CAAC,CAAC;AAEH,MAAM,8BAA8B,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5C,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;IAChB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;IAChB,gBAAgB,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;CAC3C,CAAC,CAAC;AAEH,MAAM,UAAU,GAAG,CAAC,CAAC,MAAM,CAAC;IACxB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;IAChB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;IACnB,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACxC,OAAO,EAAE,iBAAiB,CAAC,QAAQ,EAAE;IACrC,OAAO,EAAE,iBAAiB,CAAC,QAAQ,EAAE;IACrC,sBAAsB,EAAE,iCAAiC,CAAC,QAAQ,EAAE;IACpE,oBAAoB,EAAE,8BAA8B,CAAC,QAAQ,EAAE;CAClE,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,UAAU,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/B,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE;IACd,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;IAChB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;IAClB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE;IACvB,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,~~OAAO~~,CAAC,MAAM,CAAC,CAAC;~~IAChC~~,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;IACnD,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;IAChC,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC;CAC7B,CAAC,CAAC"}
1	+ {"version":3,"file":"schemas.js","sourceRoot":"","sources":["../../../src/analyze/helpers/schemas.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC;IAC9B,CAAC,CAAC,MAAM,CAAC;QACL,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;QAC1B,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;QACzC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;KACnB,CAAC;IACF,CAAC,CAAC,MAAM,CAAC;QACL,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;QACtB,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;QACzC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;KACnB,CAAC;IACF,CAAC,CAAC,MAAM,CAAC;QACL,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC;QACzB,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QACnC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;KACnB,CAAC;CACL,CAAC,CAAC;AAEH,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/B,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;IAC1B,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;IACjB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACnC,CAAC,CAAC;AAEH,MAAM,iCAAiC,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/C,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;CACnB,CAAC,CAAC;AAEH,MAAM,8BAA8B,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5C,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;IAChB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;IAChB,gBAAgB,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;CAC3C,CAAC,CAAC;AAEH,MAAM,UAAU,GAAG,CAAC,CAAC,MAAM,CAAC;IACxB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;IAChB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;IACnB,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACxC,OAAO,EAAE,iBAAiB,CAAC,QAAQ,EAAE;IACrC,OAAO,EAAE,iBAAiB,CAAC,QAAQ,EAAE;IACrC,sBAAsB,EAAE,iCAAiC,CAAC,QAAQ,EAAE;IACpE,oBAAoB,EAAE,8BAA8B,CAAC,QAAQ,EAAE;CAClE,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,UAAU,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/B,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE;IACd,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;IAChB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;IAClB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE;IACvB,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE;IAC5B,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;IAC7C,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;IACnD,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;IAChC,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC;CAC7B,CAAC,CAAC"}